Analysis Overview
SHA256
1fcaf14c2bf8df5d8fa0e8efcf728ba06f2d1fb7ef213d00d7b763031ff9a536
Threat Level: Known bad
The file tmpxtllxmbq was found to be: Known bad.
Malicious Activity Summary
Xworm
Xworm family
Detect Xworm Payload
LatentBot
Latentbot family
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-18 12:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-18 12:31
Reported
2025-04-18 12:33
Platform
win10v2004-20250410-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
LatentBot
Latentbot family
Xworm
Xworm family
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpxtllxmbq.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tmpxtllxmbq.exe
"C:\Users\Admin\AppData\Local\Temp\tmpxtllxmbq.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | cryptoghost.zapto.org | udp |
| FR | 176.143.53.10:2000 | cryptoghost.zapto.org | tcp |
| US | 8.8.8.8:53 | abolhb.com | udp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | | udp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 173.194.69.94:80 | c.pki.goog | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-04-18 12:31
Reported
2025-04-18 12:33
Platform
win11-20250410-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
LatentBot
Latentbot family
Xworm
Xworm family
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpxtllxmbq.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tmpxtllxmbq.exe
"C:\Users\Admin\AppData\Local\Temp\tmpxtllxmbq.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| FR | 176.143.53.10:2000 | cryptoghost.zapto.org | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
| DE | 176.97.210.4:505 | abolhb.com | tcp |
Files